Merged
4 changes: 3 additions & 1 deletion .wordlist-en.txt
@@ -524,11 +524,13 @@ wstg
wtf
www
xsaero

Roxana
Amauri
Bizerra
Ebihara
Yuuki
svn
git
BOPLA
BOLA
WebDAV
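Review bot: BOPLA and BOLA are added to the spell-check wordlist, but neither acronym appears in the visible checklist lines of this change, whereas WebDAV does (item 10); confirm both are actually used in the changed text, otherwise they are dead wordlist entries that will silently whitelist a future typo. If they are used, spell them out on first use in the checklist rather than relying on the wordlist alone to document them.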
@@ -14,6 +14,21 @@ and use the lists below as suggestions for a checklist that has been tailored fo
5. The security configuration store for the application should be available in human readable form to support auditing
6. Isolate development environments from production and provide access only to authorized development and test groups
7. Implement a software change control system to manage and record changes to the code both in development and production
8. Turn off directory listings
9. Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file,
the X-Robots-Tag response header or a robots html meta tag
10. Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is
required, utilize a well-vetted authentication mechanism
11. Remove unnecessary information from HTTP response headers related to the OS, web-server version and application
frameworks unless implemented to confuse an attacker
12. Ensure the .git, .svn folders or any source control metadata aren't deployed together alongside the application in away
that makes these directly accessible externally or indirectly through the application
13. Do not store passwords, secrets, connection strings, key material, secret management integrations or other sensitive
information in clear text or in any non-cryptographically secure manner on the client, in source code, or build artifacts
14. Remove or restrict access to internal application and system documentation (such as for internal APIs) as this can reveal
backend system or other useful information to attackers
15. Restrict access to files or other resources, including those outside the application's direct control using an allow list
or the equivalent thereof.

#### 2. Cryptographic practices

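Review bot: item 12 has a typo, "in away" should read "in a way". Punctuation is also inconsistent across the new items: item 15 is the only one ending with a full stop, so either drop it or terminate every item the same way. In item 11, "web-server" should match the unhyphenated "web server" style used elsewhere, and the clause "unless implemented to confuse an attacker" reads as an exception that weakens the control; consider rewording it as deliberate decoy values being an explicit, documented decision rather than a reason to keep real version information. In item 10, consider stating the goal of the authentication requirement (that file-handling methods such as PUT or DELETE must never be reachable anonymously) so the reader knows what "well-vetted" is protecting against.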